[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-12 Thread Guido Schmitz
Hi! I want to migrate my existing DNS setup to FreeIPA. As this existing setup already uses DNSSEC, I want to import my current DNSSEC keys into FreeIPA to have a smooth transition over to IPA's DNS. (The authoritative DNS servers for the zones are set up as slaves that get the zone via AXFR and can

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-15 Thread Guido Schmitz
On 12.08.2016 13:58, Petr Spacek wrote:
> On 12.8.2016 13:26, Guido Schmitz wrote:
>> Hi!
>>
>> I want to migrate my existing DNS setup to FreeIPA. As this existing
>> setup already uses DNSSEC, I want to import my current DNSSEC keys into
>> FreeIPA to have a sm

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-16 Thread Guido Schmitz
the zone subtree (cn=keys,idnsname=myzone.com,cn=dns) in LDAP, but the command "sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose" shows that the newly imported key (I've carried out tests only with the KSK so far) is assigned to the zone and is

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-17 Thread Guido Schmitz
>
> Now it is getting interesting :-)
>
> First of all, what version of FreeIPA packages and on what distro are you
> using? There are significant differences between package versions.

I am running Fedora 23 (inside an LXC on a Proxmox host) with FreeIPA 4.3.1 from COPR.

>
> The export is hand

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-17 Thread Guido Schmitz
>> Still, there is one problem:
>> My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
>> algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
>> in LDAP (under attribute idnsSecAlgorithm in the entry
>> cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns)

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-17 Thread Guido Schmitz
[paths.DNSSEC_KEYFROMLABEL, '-K', workdir, '-a', attrs['idnsSecAlgorithm'][0], '-l', uri] --- > algo = attrs['idnsSecAlgorithm'][0] > if algo == 'RSASHA1NSEC3SHA1': > algo = 'NSEC3RSASHA1'
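Review bot: the algorithm-name translation in the added lines is a single hard-coded `if` that covers only `RSASHA1NSEC3SHA1`; since the LDAP `idnsSecAlgorithm` value and the name `dnssec-keyfromlabel` expects for `-a` evidently differ for this algorithm, a small lookup such as `ALGO_NAMES = {'RSASHA1NSEC3SHA1': 'NSEC3RSASHA1'}` followed by `algo = ALGO_NAMES.get(algo, algo)` would keep the mapping in one place, leave unknown names unchanged, and make further name differences a one-line addition rather than another `if` branch. A short comment stating why the rename is needed would also help the next reader of this call site.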